March 16, 2005

Observations on the CA market - Verisign to sell out?

It seems that Netcraft are having some success in aggregating the information collected from their toolbar community into an early warning sign of where phishers are heading. Reportage from them: online banking is being attacked by cross-site scripting. This is distinct from traditional phishing in that it does now bring the bank and ecommerce site (note to Niham!) into the loop. Yet only in a small way; close that loophole and that puts the bank out of the defence business again.

Yet more importantly is the structural shift that is being signalled here.

Netcraft pushed out their toolbar back in the closing days of 2004. Now they can use this info, a scant 10 weeks later. This changes the balance of power in cert-based security, and CAs will be further marginalised by this development. Here's the article followed by more observations:

Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities.

Well known banks have created an infestation of application bugs and vulnerabilities across the Internet, allowing fraudsters to insert their data collection forms into bona fide banking sites, creating convincing frauds that are undetectable to most customers. Indeed, a personal finance journalist writing for The Motley Fool was brave enough to publicly admit to having fallen for a fraud running on Suntrust's site and having her current account cleaned out. It's a reasonable premise that if a Motley Fool journalist can fall for a fraud, anyone can.

One fraud recently blocked by the Netcraft Toolbar was at Citizens Bank. Fraudsters composed and mass mailed a phishing mail which exploited a program on CitizensBank.com, loading Javascript from the attackers' server hosted at Telecom Italia. Customers were presented with a page bearing the CitizensBank.com URL in the address bar, while the browser window displayed a form from the Telecom Italia server asking for user login information.

The script being exploited allows visitors to search for Citizens Bank branch offices in their town. Along with search scripts, branch locator pages are frequently carelessly coded and are targets for fraudsters who are actively analyzing financial web sites for weaknesses.

Another thought occurred to me. I wrote last night in Mozilla's bug fix forum "There is no centralised database of certs by which a CA can know whether an application for a new cert is likely to conflict (paraphrased)." This is because CAs do not cooperate and will never cooperate at that level (as customer theft will be the obvious result).

This balkanisation of CAs means that any security fixups must align with those borders. An attack on an ecommerce site using certs will come via another CA. If I were to attack GMail, I wouldn't go to Equifax for my cert, I'd go to Comodo. Or VeriSign, or some other... (And yes, I'd ask for GMall.com and present my forged paperwork for that company. But let's skip over the boring details of how we trick a CA.)

So it is crucial that the browser shows which CA signed the cert. Along with other things as suggested here by Peter Gutmann, in a discussion on how to detect and discriminate rogue CAs, a priori:

In other words, this problem [of differentiating between "high" assurance and "low" assurance] is way, way up in the political layer, and I can't see any way of resolving it. It'd certainly be a good idea to make some distinction, but it's not a productive area to apply effort. It'd be better to look at some of the work on secure UI design (e.g. anything by Ka-Ping Yee, Simpson Garfinkel's thesis, etc etc). Work on the stuff that's solvable and leave this one as a honeynet for the bureaucrats to prevent them from causing any damage elsewhere.

That will do more for security than any certificate-nitpicking ever will (the anti-phishing list at Gerv's site should be adopted as the #1 - #5 security features to be added to Mozilla/Firefox). After you've implemented those, you can still work on the titanium-plated kryptonite certificate support. Conversely, no amount of diamond-studded iridium certificates will do you any good without anti-phishing/spoofing measures like the above being used.

Peter.

If there is a God of Cryptoplumbing, then Peter Gutmann is he, and he has spoken. We now seem to be on our way to a manifesto of ideas. Perhaps we should take that further...

Getting back to the crucial point here, I claimed there was no centralised database. But, it turns out that there is a database - the net. Sure, it ain't centralised, but (and here's the clanger) it is trawled on a daily basis for certs. By two parties at least that I know of: Netcraft and SecuritySpace. And as a consequence both of these parties have (implied) centralised databases, and have an ability to answer the question "is this new application for a cert likely to be a phishing attack?"
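The two checks argued for above, that a CA consults a trawled database of existing certs before issuing (this paragraph) and that a change of issuing CA for a known site is itself a warning sign (the "browser shows which CA signed the cert" point), can be sketched in a few lines. This is an added example, not code from the post, Netcraft or SecuritySpace; the cert database and CA names below are constructed sample data.

```python
import difflib
from typing import Dict, List

# Constructed sample of a "trawled cert database": hostname -> issuing CA.
# Made up for this example; not real survey data from any crawler.
KNOWN_CERTS: Dict[str, str] = {
    "gmail.com": "Equifax",
    "citizensbank.com": "VeriSign",
    "suntrust.com": "VeriSign",
}


def normalise(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so variants compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalike_hits(requested: str, known: Dict[str, str] = KNOWN_CERTS,
                   threshold: float = 0.85) -> List[str]:
    """Return known hostnames that are confusingly similar to the requested one.

    difflib's ratio (2*matches/total length) catches one-character swaps such as
    'gmall.com' against 'gmail.com'; the threshold is an assumed tuning value.
    """
    req = normalise(requested)
    return [
        host for host in known
        if host != req and difflib.SequenceMatcher(None, req, host).ratio() >= threshold
    ]


def assess_application(requested: str, applicant_ca: str,
                       known: Dict[str, str] = KNOWN_CERTS) -> Dict[str, object]:
    """Flag a cert application that collides with or mimics an already-certified site."""
    req = normalise(requested)
    flags: List[str] = []
    # Same site, different CA: exactly the cross-CA attack path described in the post.
    if req in known and known[req] != applicant_ca:
        flags.append(f"issuer change: previously {known[req]}, now {applicant_ca}")
    # Near-miss name against a site that already holds a cert elsewhere.
    for hit in lookalike_hits(req, known):
        flags.append(f"lookalike of {hit} (issued by {known[hit]})")
    return {"host": req, "flags": flags, "suspicious": bool(flags)}
```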

Now, if you are a net techie, that will likely be a puerile observation. But if you are the CEO of a Certificate Authority, then the ground just rumbled under your feet. If these two players can pull this off then the CA just got so marginalised that the commoditisation that we've seen with Comodo and GoDaddy, and also with CACert but in a different direction ... well, all that falls into the class of "you ain't seen nothing yet!"

Which leads me to my final observation. (Techie warning. What follows is all bizspeak, sorry about that.) As CAs are inevitably marginalised by the above development, and by their failure to protect the net from the rise of phishing - a direct MITM on the browser - then the big bucks players will rethink their strategy. That of course means Verisign.

There are two possible paths here. Path One is that the branding opportunities turn up in time (watch Microsoft here) for the CA business to reverse its fortunes and become a media space player. In this scenario, players spend on advertising, and start to build their brands as quality and security (which means they take a proactive approach to watching applications for certs). But they can only do this if a) the branding turns up, b) they can get more investment, and thus c) they can show a massive market increase and thus d) the commodity certificate leads to a discriminated market place of much greater size.

That's not as far off as we think, as part a) also leads to part d) in market terms.

Then there is Path Two. Phishing gets bigger, and some poor Alice in the US loses her house over it. Her attorneys say "this can't go on and we can help you stop it!" (Proving that the USA leads in genetic engineering, their attorneys lack any capability to say "I don't know / I can't help you.")

Boom, class action suit on phishing is filed against the bank, the browser manufacturer, the cert suppliers (both, or all) and to cap things off, the people who designed the system. The potential class size is about 1 million Americans, give or take. Total losses are in billions, over a few years. Add punitive damages if it goes badly, and the case showed that the architects should have known better.

Potential payout is from 100m to 10b, depending. So it is big enough to encourage salivation, but it's also big enough to break any but the bank players (who themselves are just victims so they aren't likely to lie down and die) and Microsoft.

Now, cast all these ingredients into the pot and what do you have? The cards just got totally reshuffled on the CA business. Which means that the biggest player, Verisign, will have the biggest problem. This is compounded (should I say exponentiated?) by several issues:

Verisign is a complex business, and doesn't need uncertainty in one of its units

Verisign has profitable lines elsewhere, but certs can't be that profitable

Verisign was one of the architects and also one of the prime beneficiaries of the system of secure browsing in place today

Against that we have an uncertain and never fully monetarised synergy from certs, domains, NetDiscovery and lots of other "strategic control" businesses under the umbrella.

To me, this says one thing: Verisign will sell the CA business. They will do it to limit the damages from future litigation, and because the ground is shifting too fast for their complex business to benefit from. Further, CAs as "strategic controls" are being marginalised. It's no longer core, and it's darn risky.

With regard to the supposed risk of CAs issuing duplicate certs, has that been a problem? You are always complaining that we defend against MITM when it hasn't been a significant attack model, but what about this case, is it something to really worry about?

And did you read what Peter Gutmann said about this idea? "It'd certainly be a good idea to make some distinction, but it's not a productive area to apply effort." Not exactly a ringing endorsement - not a productive area to apply effort!

Yes, I suppose that's true - in that direct MITMs using certs taken from distinct CAs haven't happened in any aggressive sense. We could leave it until then, that is certainly a possibility, and some would say a likelihood.

(Maybe I'm thinking too strategically, too many moves ahead. If the phishers are forced onto SSL, then I don't see it will slow them down much. And there are enough of them that it could be pretty disastrous to confidence in SSL.)

As to what Peter Gutmann said, he was referring not to fighting the MITM, but to the notion of "high"/"low" certs. I've made an annotation to that effect, thanks.